General
- Target: 6315f61070d193057e9c64317e06da463311f7b75e4861927f3c95ea93809208
- Size: 649KB
- Sample: 240901-k1xtdawfrp
- MD5: 0d2b703bddf492ff59c61b9e1924cafe
- SHA1: 2238e86fdb63bc1748253025a99c2d4d2fff062d
- SHA256: 6315f61070d193057e9c64317e06da463311f7b75e4861927f3c95ea93809208
- SHA512: 2d60273a1cc4e8eeac412f409db4d180a5e030845c1cbcdd601b26e8e55f29b04551a5718c563e369158a36da8c9397a98c04e45a15ad9a2e4ac49763191b0b2
- SSDEEP: 12288:vrVn8E3k3KXWMAj+Qw7lHVIONnQcf9TFaM3RbLkZX1aLFPka35Nny:vrVf3lPoBLD4Tx2XiPJZy
Static task: static1
Behavioral task: behavioral1
- Sample: 30507f7743a936de9f2e37f444a6fbfd7f5d684c9d22cd9354d1967e5333a89a.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 30507f7743a936de9f2e37f444a6fbfd7f5d684c9d22cd9354d1967e5333a89a.exe
- Resource: win10v2004-20240802-en
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: 195.54.163.133
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@#$
- Email To: [email protected]
Targets
- Target: 30507f7743a936de9f2e37f444a6fbfd7f5d684c9d22cd9354d1967e5333a89a.exe
- Size: 705KB
- MD5: 08b45641b13ea906bfc7d47656c28573
- SHA1: 1c8f1759aa3f18b47952cd660542a5a72f522f15
- SHA256: 30507f7743a936de9f2e37f444a6fbfd7f5d684c9d22cd9354d1967e5333a89a
- SHA512: 2f70ff6bfeb50231dd7d645b5f9b500f7fd84ed17e3d642896b36c7b985db37046520da04e2ac72704bf31289fedbf3ec8824cc6cbb88675ae888afd56f327b7
- SSDEEP: 12288:+oW0xqd0fiXOond4GE9FT9rKDScUx7lWPMEyC/e+CMVkigU2kR:+olqdGiXOond1qxKpUB2MEyj+Ppgq
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, a web browser credential store.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)